UC Retirement System Lacked Computer Security, Study Says

Chronicle Staff Report

Published 4:00 am, Thursday, March 14, 1996

Lax computer security and easily obtainable passwords could have given hackers access to funds from the University of California's retirement system, a study commissioned by the university has revealed.

The university's computer, which controls the $20 billion retirement system, was "severely lacking security and controls in many areas," according to the 33-page report delivered to the university four months ago and released yesterday.

University spokesman Terry Colvin quickly pointed out that no hacking took place, no money was lost and that the security lapses were corrected. He said the authors of the study "overestimated the security problems."

The report, prepared by Infortal Associates of San Jose, found that key records and security provisions were kept on a vulnerable computer network, not on a secure mainframe computer. It also found that the system's "audit trail" -- which records changes in data -- was flimsy and easy to disable. Also, no one was responsible for reviewing audit logs.

The retirement records are "accessible from the Internet," the report said. Infortal investigators said they "successfully logged into the system through the Internet . . . using a password known to many people."

According to the report, hackers could have gotten into the computer through "nonprivileged" means and obtained a "master password" and access to the entire system.

But the director of computer systems for UC's office of the president disputed that finding.

"It's true the passwords are going over the network and a sophisticated networking individual could pick off a password," said Jim Dolgonas, director of information systems and computing. f"But that doesn't mean somebody could breach the security. We have multiple levels of security.

"In the unlikely event that an individual was able to get a password from the network, there are a number of other security measures you have to get through before they could get to data."